What would you do in a scenario like this?
You are about to get into your car when a masked man pulls a gun and takes your keys.
"Here's how this is going to work," he says. "You get your keys back if you give me $100 right now. Otherwise, I keep the keys and I'm driving away in your $30,000 car."
If you think about it, a ransomware demand is kind of like that.
Just ask the City of Baltimore.
It chose to "give up the car" and now says costs of the ransomware attack have reached $18 million including remediation, new hardware, and lost or deferred revenue.
This has many taxpayers in Baltimore wondering: why didn't you pay hackers $80,000 in cryptocurrency for "the keys" to unlock city systems?
Baltimore city leaders have just answered that question in statements to reporters and on social media.
Baltimore defends decision not to pay ransom
Mayor Bernard C. Jack Young took to Twitter to defend his decision not to pay the ransom.
Ironically, it's the same social media platform the hacker used to taunt city leaders.
Here is what Mayor Young had to say:
"Why don't we just pay the ransom? I know a lot of residents have been saying we should've just paid the ransom or why don't we pay the ransom?
Well, first, we've been advised by both the Secret Service and the FBI not to pay the ransom. Second, that's just not the way we operate. We won't reward criminal behavior.
If we paid the ransom, there is no guarantee they can or will unlock our system.
There's no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there's no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future.
Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I'm confident we have taken the best course of action."
And the Mayor's Deputy Chief of Staff for Operations, Sheryl Goldstein, told reporters:
"The federal investigators have advised us not to pay the ransom. The data shows you have less than a 50-50 chance of getting your data back if you pay the ransom, and, even if you pay the ransom, you still have to go within your system and make sure they’re out of it.
You couldn’t just bring it back up and believe they were gone, and so we would be bearing much of these costs regardless."
Post in comments reacting to these statements: "Where are your backups?"
Paying hackers after ransomware infection: no consensus
If there is a consensus on this topic, it sure is tough to find.
Atlanta refused to pay the ransom in its cyber incident last year.
But many other cities have decided to pay the ransom.
West Haven, Connecticut, paid the ransom and perhaps felt guilty about it because it told residents this was a "one-time fee" instead of using the word "ransom."
"... our police IT experts determined the best course of action, given all the available information, was to pay a one-time fee of $2,000 to unlock servers. The money was paid in digital currency. The data restoration of a critical system occurred shortly after the completion of that transaction."
The City of Valdez, Alaska, also paid. Watch the video to see what it demanded from hackers before handing over the crypto:
Sometimes, even if an organization doesn't want to pay, it may feel like it has no choice.
That's exactly what happened to Roseburg, Oregon, according to The News-Review, after the school district said the FBI advised not paying the ransom:
“We exhausted all efforts to avoid paying the requested ransom out of concern that more damage could be caused; however, the experts ultimately determined that the solution was worth the risk,” Roseburg Public Schools Superintendent Gerry Washburn said.
But for some leaders, refusing to pay the ransom is showing support for truth, justice, and the American way. Just ask the CEO of a utility company in North Carolina, who announced this to his staff:
"Do you bow your head, weakly, and say we'll pay you and risk another attack? Or do you look 'em in the eye and say we're Americans, we're North Carolinians, and by golly, we'll survive this too. That's what we say. That's what we're telling the cybercriminals and the world."
And right now, that's the type of message Baltimore city leaders are sending to hackers, as well.